
How do you disable the auto generated pages /login and /logout using Spring SAML2?


I am using Spring Boot - 2.6.6 and Spring Security - 5.7.0-M2 with the spring-security-saml2-service-provider library to create a SAML service provider application. I followed Spring's sample project Spring Security SAML2 Sample so my setup looks very similar.

I want to turn off the generated Login and Logout pages located on /login and /logout. The login page shows a link to each IDP configured and the logout page has a button that initiates the POST logout flow.

They appear to be created by Spring's internal code - Saml2LoginConfigurer.initDefaultLoginFilter when Saml2LoginConfigurer.loginPage is not set or the DefaultLoginPageGeneratingFilter is active. Setting the loginPage variable only changes where the login page is displayed and breaks the metadata configuration from my Identity Provider: it does not turn the login page off. I had no success trying to turn off the DefaultLoginPageGeneratingFilter.

How could I do this?


Solution

  • The sample already includes everything needed to automatically redirect to the IDP (Okta in this case) and get redirected back. So the login and logout pages are only accessible if the URL is changed. Having said that, I can see why they are undesirable if they aren't being used.

    To disable them, the simplest way is to provide an AuthenticationEntryPoint. This disables the filters that generate the login and logout pages. For example:

    // send unauthenticated requests straight to the IdP for registration "two"
    http.exceptionHandling((exceptions) -> exceptions
        .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/saml2/authenticate/two"))
    );
    

    The reason this works is that it does explicitly what happens behind the scenes in Saml2LoginConfigurer.init while also disabling what happens in Saml2LoginConfigurer.initDefaultLoginFilter.
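As an added example (not the answerer's code and not the Spring sample), here is a complete SecurityFilterChain bean for Spring Security 5.7 showing where the entry point from the answer sits relative to the rest of the SAML configuration. The registration id `two` and the class name `SamlSecurityConfig` are assumptions taken from the answer's snippet; substitute your own RelyingPartyRegistration id.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

@Configuration
public class SamlSecurityConfig {

    // Assumed registration id, copied from the answer's snippet. It must match the id of
    // the RelyingPartyRegistration configured for your IdP, or the redirect will 404.
    private static final String SAML_ENTRY_POINT = "/saml2/authenticate/two";

    @Bean
    SecurityFilterChain samlFilterChain(HttpSecurity http) throws Exception {
        http
            // every request must be authenticated; unauthenticated ones hit the entry point
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            // SAML 2.0 login and single logout, configured as in the Spring sample
            .saml2Login(Customizer.withDefaults())
            .saml2Logout(Customizer.withDefaults())
            // Supplying an entry point explicitly means Saml2LoginConfigurer no longer
            // registers the DefaultLoginPageGeneratingFilter (and the matching logout page
            // filter), so /login and /logout stop rendering the generated pages. Instead,
            // an unauthenticated user is redirected straight to the IdP for registration "two".
            .exceptionHandling(exceptions -> exceptions
                .authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint(SAML_ENTRY_POINT)));
        return http.build();
    }
}
```

Because the entry point names a single registration, this is the right shape for a service provider with one IdP; with several registrations you would need an entry point that chooses among them rather than the generated list the default page provided.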